Horizon Alert
Summary of the vulnerability and why it matters
A security vulnerability in Capgo's cross-domain single sign-on feature could allow an attacker with administrative access to merge victim accounts by exploiting email matching without proper authorization checks. This could lead to unauthorized access to user accounts, organizations, and sensitive data.
- Attackers can take over accounts via SSO.
- Important for controlling access and data security.
- Confirm relevance and understand potential exposure.
Attack Path
How an attacker could exploit the issue
An attacker with administrative privileges in an organization using the affected software can leverage a misconfigured Single Sign-On (SSO) setup. By controlling a malicious identity provider, the attacker can craft fake authentication responses that trick the software into merging a victim's account with their own, granting them access to the victim's data and organization.
- Requires administrator access and control over an identity provider.
- Triggered by forging SAML assertions with victim email addresses.
- Risk of unauthorized access to accounts and data.
Live Threat
Current exploitation, exposure, and threat context
Attackers with enterprise organization administrator access and a malicious identity provider could merge arbitrary victim accounts by forging SAML assertions with victim email addresses, granting them full access to victim accounts, organizations, and data. This could occur when the provision-user endpoint does not validate SSO provider domain authorization.
- Victim accounts and organization data.
- Forged SAML assertions via malicious IdP.
- Full account and data takeover.
Operational Fix
Recommended remediation, mitigation, and detection steps
The vulnerability resides in a user provisioning endpoint, impacting how Capgo handles Single Sign-On (SSO) and user account merging. This means application owners and platform teams are likely responsible for identifying and remediating this issue, with potential involvement from security and vendor management teams. The first practical step is to confirm where Capgo is deployed, assess its reachability and business criticality, identify the accountable owner, and then prioritize remediation actions.
- App and platform teams own the fix.
- Verify Capgo deployment and reachability.
- Plan remediation based on identified risk.